Custom visual content and RBAC

Hi All,

We want to add a custom javascript based chart (e.g. d3 based) in our existing dashboard.

Below video helps create the custom visualization and embed in quicksight:

However, it is not clear how to enable security for the custom visual content i.e. only the user with access to the data should be able to see the visualization. Could you please help?

Best Regards,
Vishal

Hi @vishalvpv - you won't be able to have QuickSight enforce any RLS on the custom visual you inserted. It is basically an iFrame to QuickSight. Are you by chance embedding the dashboard into another application? If so, you can use the ‘Free-form’ layout type in your analysis, which enables some new options in the visual format menu, such as ‘Rules’. There you can create a condition that if a given parameter is set to XYZ, the visual should show or not. If you are embedding the dashboard, you can set the value of that parameter using the Embedding SDK, which will either show or hide the entire visual (assuming your app knows who the user is and whether they should see the visual or not).

Thanks for your reply Jesse. I will try this out and update on my findings.

Best Regards,
Vishal

Hi @Jesse - Yes we want to embed the dashboard in a web application.

We created an HTML page with a custom visualization and saved it on AWS S3. However, we need to make this HTML page public (public access to the bucket + GetObject access via S3 policy) so that QuickSight can access it. When the HTML page was not public, QuickSight gave an access denied error.

If we make this HTML page public then it will be accessible to everyone on the internet, and it will be a security issue as the data is sensitive. Thus the rules-based approach might not work, as the page is accessible to everyone on the internet outside of QuickSight.

Am I missing anything? Any suggestion on the correct approach?

Best Regards,
Vishal

Also, I created a parameter and set it to a pre-signed S3 URL. However, QuickSight encodes the pre-signed URL and the custom visualization is not seen due to incorrect credentials.

Best Regards,
Vishal

Hi Vishal,

You can get around this issue by having an intermediate site (public facing) plugged into the custom visual. Then, you can pass the base64-encoded S3 presigned URL as a parameter and have that passed as a query string parameter to the public-facing site in the custom visual. Using JS (in the public-facing site), extract the query string parameter, base64-decode it and iframe it.

Regards,
Arun Santhosh
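As an added example (not code from this thread or from QuickSight), here is the JavaScript the public-facing intermediate page described above could run: it reads the base64-encoded presigned URL from the query string, decodes it, and iframes it only if it points over https at an allow-listed S3 host, so the page cannot be used to frame arbitrary content. The parameter name `target` and the hosts in `ALLOWED_HOSTS` are assumptions.

```javascript
const ALLOWED_HOSTS = new Set([
  "example-bucket.s3.amazonaws.com",           // placeholder bucket hosts (assumption)
  "example-bucket.s3.us-east-1.amazonaws.com",
]);
const PARAM_NAME = "target"; // query string parameter name (assumption)

// Decode a base64 or base64url value into a string; returns null on bad input.
function decodeBase64(value) {
  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
  const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
  try {
    return atob(padded);
  } catch (e) {
    return null;
  }
}

// Extract and validate the frame target from a query string such as
// "?target=aHR0cHM6Ly8...". Returns the URL, or null if the parameter is
// missing, undecodable, not https, or not on an allow-listed host.
function resolveFrameTarget(queryString) {
  const params = new URLSearchParams(queryString);
  const encoded = params.get(PARAM_NAME);
  if (!encoded) return null;
  const decoded = decodeBase64(encoded);
  if (decoded === null) return null;
  let url;
  try {
    url = new URL(decoded);
  } catch (e) {
    return null;
  }
  // Fail closed: https only, and only the expected S3 host(s).
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Browser entry point: only runs when the script is loaded in a page.
if (typeof document !== "undefined") {
  const target = resolveFrameTarget(window.location.search);
  if (target) {
    const frame = document.createElement("iframe");
    frame.src = target;
    document.body.appendChild(frame);
  } else {
    document.body.textContent = "No valid content to display.";
  }
}
```

The presigned URL still expires on its own schedule, so the app generating it controls how long a given user can load the visual.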

Thanks @ArunSanthosh. This helps but might not work from user experience perspective.

Below are my conclusions based on the discussions in this thread:

  1. The QuickSight custom visual content feature is to integrate external content that is publicly available within a dashboard, e.g. videos, websites, wikis, etc.
  2. The custom visual content feature is not meant to integrate secure content. A workaround is possible using a pre-signed URL on S3 (using an intermediate site), but user experience will suffer.
  3. Unlike Power BI custom visuals, the QuickSight custom visual content feature is not meant to support charts / visualizations that are not natively a part of QuickSight, as security is absent and the underlying analysis dataset cannot be referred to from the JS code in the custom visual content.

It would be really good if QuickSight implemented custom visuals like Power BI. That way QuickSight would become very powerful in terms of the number of charts that can be supported.

Best Regards,
Vishal

Hi Vishal,

Most welcome.
Custom visual content doesn’t have an inbuilt auth mechanism. So, you can use it to serve public-facing content or private content wherein auth is handled by the embedded website. It does give you a workaround to embed custom visuals, and you can make that flow work in a secured mode as well with additional constructs. But it is a workaround and not a prescribed way to bring in custom charts. We do have a product feature request (Internal link) in play for custom charts that are fed from QuickSight datasets. You can ask your TAM/Account SA to add a customer influence to the above linked PFR. In case your org doesn’t have an assigned TAM/Account SA, send me your org details at arunsant@amazon.com and I can add the customer influence for you.

Regards,
Arun Santhosh

Thanks @ArunSanthosh. I have sent the org details via email.

> private content wherein auth is handled by the embedded website. It does give you a workaround to embed custom visuals and you can make that flow work in a secured mode as well with additional constructs.

By auth handled by the embedded website, do you mean using a pre-signed URL or some other approach? Is there a documentation link you could share? Could you please elaborate on the additional constructs part?

Best Regards,
Vishal